<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GlobalProtect Cert+SAML in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-cert-saml/m-p/1246866#M7260</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm reaching out to see if anyone has configured GlobalProtect with cert+SAML authentication with multiple gateways across multiple firewalls.&amp;nbsp; I've been attempting to configure this; however, whenever I use cert+SAML at the gateway and I attempt to switch gateways after logging in, the logs always show "client cert not present".&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have both the root/intermediate configured under certificate and have an accompanying certificate profile with nothing special specifying those two certs.&amp;nbsp; I have both machine and user certs issued to the machine/user respectively.&amp;nbsp; App configuration is basic, setup with pre-logon (always-on) and is targeted for "any".&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For context, I'm able to perform cert-only authentication, and if I set the subject-alt name to email in the profile, it authenticates both machine and user respectively for whichever stage it's at and determines the correct user.&amp;nbsp; Likewise, with SAML only, everything works fine as well when switching gateways.&amp;nbsp; It's only when I combine cert with SAML that it fails.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I haven't been able to find many resources with concrete information on whether this is supported or not; most videos I've seen only specify SAML at the gateway.&lt;/P&gt;</description>
    <pubDate>Wed, 28 Jan 2026 14:39:45 GMT</pubDate>
    <dc:creator>JordanAltmann</dc:creator>
    <dc:date>2026-01-28T14:39:45Z</dc:date>
    <item>
      <title>GlobalProtect Cert+SAML</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-cert-saml/m-p/1246866#M7260</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm reaching out to see if anyone has configured GlobalProtect with cert+SAML authentication with multiple gateways across multiple firewalls.&amp;nbsp; I've been attempting to configure this; however, whenever I use cert+SAML at the gateway and I attempt to switch gateways after logging in, the logs always show "client cert not present".&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have both the root/intermediate configured under certificate and have an accompanying certificate profile with nothing special specifying those two certs.&amp;nbsp; I have both machine and user certs issued to the machine/user respectively.&amp;nbsp; App configuration is basic, setup with pre-logon (always-on) and is targeted for "any".&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For context, I'm able to perform cert-only authentication, and if I set the subject-alt name to email in the profile, it authenticates both machine and user respectively for whichever stage it's at and determines the correct user.&amp;nbsp; Likewise, with SAML only, everything works fine as well when switching gateways.&amp;nbsp; It's only when I combine cert with SAML that it fails.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I haven't been able to find many resources with concrete information on whether this is supported or not; most videos I've seen only specify SAML at the gateway.&lt;/P&gt;</description>
      <pubDate>Wed, 28 Jan 2026 14:39:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-cert-saml/m-p/1246866#M7260</guid>
      <dc:creator>JordanAltmann</dc:creator>
      <dc:date>2026-01-28T14:39:45Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Cert+SAML</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-cert-saml/m-p/1247925#M7278</link>
      <description>&lt;P&gt;The "Client Cert Not Present" error during a gateway switch usually stems from a mismatch in how the session cookie handles the multi-factor requirement. When moving between firewalls, GlobalProtect attempts to use an Authentication Override cookie to maintain a seamless connection; however, if the new gateway is configured to strictly require a certificate handshake before accepting that SAML-based cookie, the process fails because the certificate isn't being re-presented during the cookie validation phase. To resolve this, ensure that all firewalls share the same Certificate Profile and have "Any" or "User/Machine" selected, and most importantly, verify that "Accept Cookie for Authentication" is enabled on all gateways with a matching Cookie Lifetime to allow the authenticated session to roam without triggering a fresh, manual certificate prompt.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Feb 2026 09:58:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-cert-saml/m-p/1247925#M7278</guid>
      <dc:creator>jim65richards</dc:creator>
      <dc:date>2026-02-11T09:58:12Z</dc:date>
    </item>
  </channel>
</rss>